draft-ietf-dnsext-delegation-signer-12.txt   draft-ietf-dnsext-delegation-signer-13.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-12.txt> <draft-ietf-dnsext-delegation-signer-13.txt>
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on June 4, 2003. This draft expires on August 28, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All rights reserved. Copyright (C) The Internet Society (2003). All rights reserved.
Abstract Abstract
The delegation signer (DS) resource record is inserted at a zone cut The delegation signer (DS) resource record is inserted at a zone cut
(i.e., a delegation point) to indicate that the delegated zone is (i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated digitally signed and that the delegated zone recognizes the indicated
key as a valid zone key for the delegated zone. The DS RR is a key as a valid zone key for the delegated zone. The DS RR is a
modification to the DNS Security Extensions definition, motivated by modification to the DNS Security Extensions definition, motivated by
operational considerations. The intent is to use this resource record operational considerations. The intent is to use this resource record
as an explicit statement about the delegation, rather than relying on as an explicit statement about the delegation, rather than relying on
skipping to change at page 4, line 26 skipping to change at page 4, line 26
rather than the NULL KEY record at every unsecure delegation required rather than the NULL KEY record at every unsecure delegation required
by RFC 2535, only secure delegations require additional information by RFC 2535, only secure delegations require additional information
in the form of a signed DS RRset. in the form of a signed DS RRset.
The main disadvantage of this approach is that verifying a zone's KEY The main disadvantage of this approach is that verifying a zone's KEY
RRset requires two signature verification operations instead of the RRset requires two signature verification operations instead of the
one required by RFC 2535. There is no impact on the number of one required by RFC 2535. There is no impact on the number of
signatures verified for other types of RRsets. signatures verified for other types of RRsets.
Even though DS identifies two roles for KEY's, Key Signing Key (KSK) Even though DS identifies two roles for KEY's, Key Signing Key (KSK)
and Zone Sigining Key (ZSK), there is no requirement that zone use and Zone Signing Key (ZSK), there is no requirement that zone use two
two different keys for these roles. It is expected that many small different keys for these roles. It is expected that many small zones
zones will only use one key, while larger organizations will be more will only use one key, while larger organizations will be more likely
likely to use multiple keys. to use multiple keys.
2.2 Protocol Change 2.2 Protocol Change
All DNS servers and resolvers that support DS MUST support the OK bit All DNS servers and resolvers that support DS MUST support the OK bit
[RFC3225] and a larger message size [RFC3226]. In order for a [RFC3225] and a larger message size [RFC3226]. In order for a
delegation to be considered secure the delegation MUST contain a DS delegation to be considered secure the delegation MUST contain a DS
RRset. If a query contains the OK bit, a server returning a referral RRset. If a query contains the OK bit, a server returning a referral
for the delegation MUST include the following RRsets in the authority for the delegation MUST include the following RRsets in the authority
section in this order: section in this order:
If DS RRset is present: If DS RRset is present:
parent NS RRset parent NS RRset
DS and SIG(DS) DS and SIG(DS)
If no DS RRset is present: If no DS RRset is present:
parent NS RRset parent NS RRset
parent NXT and SIG(NXT) parent NXT and SIG(NXT)
This increases the size of referral messages and may cause some or This increases the size of referral messages and causing some or all
all glue to be omitted. If the DS or NXT RRsets with signatures do glue to be omitted. If the DS or NXT RRsets with signatures do not
not fit in the DNS message, the TC bit MUST be set. Additional fit in the DNS message, the TC bit MUST be set. Additional section
section processing is not changed. processing is not changed.
A DS RRset accompanying a NS RRset indicates that the child zone is A DS RRset accompanying a NS RRset indicates that the child zone is
secure. If a NS RRset exists without a DS RRset, the child zone is secure. If a NS RRset exists without a DS RRset, the child zone is
unsecure (from the parents point of view). DS RRsets MUST NOT appear unsecure (from the parents point of view). DS RRsets MUST NOT appear
at non-delegation points or at a zone's apex. at non-delegation points or at a zone's apex.
Section 2.2.1 defines special considerations related to authoritative Section 2.2.1 defines special considerations related to authoritative
servers responding to DS queries and replaces RFC2535 sections 2.3.4 servers responding to DS queries and replaces RFC2535 sections 2.3.4
and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section
2.2.3 updates RFC3090. 2.2.3 updates RFC3090.
skipping to change at page 6, line 26 skipping to change at page 6, line 26
That is, it answers as if it is authoritative and the DS record does That is, it answers as if it is authoritative and the DS record does
not exist. DS-aware recursive servers will query the parent zone at not exist. DS-aware recursive servers will query the parent zone at
delegation points, so will not be affected by this. delegation points, so will not be affected by this.
A server authoritative for only the child zone at a delegation point A server authoritative for only the child zone at a delegation point
that is also a caching server MAY (if the RD bit is set in the query) that is also a caching server MAY (if the RD bit is set in the query)
perform recursion to find the DS record at the delegation point, and perform recursion to find the DS record at the delegation point, and
may return the DS record from its cache. In this case, the AA bit may return the DS record from its cache. In this case, the AA bit
MUST not be set in the response. MUST not be set in the response.
2.2.1.2 Special processing when child and an ancestor share server 2.2.1.2 Special processing when child and an ancestor share server"
When a child zone and a ancestor other than parent share an Special rules are needed to permit DS RR aware servers to gracefully
authorative server, a DS aware server MUST answer with information interact with older caches which otherwise might falsely label a
from child zone, as specified in section 2.2.1.1. This is to prevent server as lame because of the new placement of the DS RR set.
the server to be marked as lame for child.
This answer can cause problem for a DS aware resolver that is Such a situation might arise when a server is authoritative for both
traversing this branch of the DNS tree for the first time. The a zone and it's grandparent, but not the parent. This sounds like an
resolver is expecting to get back either DS record or a delegation obscure example, but it is very real. The root zone is currently
information. The SOA with same name as QNAME informs the resolver served on 13 machines, and "root-servers.net." is served on 4 of the
that the answer orignated from the zone below the one where the DS same 13, but "net." is served elsewhere.
resides. At this point the resolver has no information on how to get
from the ancestor to the parent. In this case the resolver SHOULD When a server receives a query for (<QNAME>, DS, IN), the response
attempt to fetch the delegation information by issuing a query with a MUST be determined from reading these rules in order:
QNAME one label shorter and type NS. This will yield the NS set for
the parent, allowing the resolver to query for the DS record. 1) If the server is authoritative for the zone that holds the DS RR
set (i.e., the zone that delegates <QNAME> away, aka the "parent"
zone), the response contains the DS RR set as an authoritative
answer.
2) If the server is offering recursive service and the RD bit is set
in the query, the server performs the query itself (according to the
rules for resolvers described below) and returns it's findings.
3) If the server is authoritative for the zone that holds the
<QNAME>'s SOA RR set, the response is an authoritative negative
answer as described in 2.2.1.1.
4) If the server is authoritative for a zone or zones above the
QNAME, a referral to the most enclosing zone's servers is made.
5) If the server is not authoritative for any part of the QNAME, a
response indicating a lame server for QNAME is given.
Using these rules will require some special processing on the part of
a DS RR aware resolver. To illustrate this, an example is used.
Assuming a server is authoritative for roots.example.net. and for the
root zone but not the intervening two zones (or the intervening two
label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS,
and QCLASS=IN.
The resolver will issue this request (assuming no cached data)
expecting a referral to a net. server. Instead, rule number 3 above
applies and a negative answer is returned by the server. The
reaction by the resolver is not to accept this answer as final as it
can determine from the SOA RR in the negative answer the context
within which the server has answered.
A solution to this is to instruct the resolver to hunt for the
authoritative zone of the data in a brute force manner.
This can be accomplished by taking the owner name of the returned SOA
RR and strip off enough left-hand labels until a successful NS
response is obtained. A successful response here means that the
answer has NS records in it. (Entertaining the possibility that a
cut point may be two labels down in a zone.)
Returning to the example, the response will include a negative answer
with either the SOA RR for "roots.example.net." or "example.net."
depending on whether roots.example.net is a delegated domain. In
either case, removing the least significant label of the SOA owner
name will lead to the location of the desired data.
2.2.1.3 Modification on KEY RR in the construction of Responses
This section updates RFC2535 section 3.5 by replacing it with the
following:
An query for KEY RR MUST NOT trigger any additional section
processing. Security aware resolver will include corresponding SIG
records in the answer section.
KEY records SHOULD NOT be added to additional records section in
response to any query.
RFC2535 included rules to in add KEY records to additional section
when SOA or NS records where included in an answer. The is was done
to reduce round trips (in the case of SOA) and to force out NULL
KEY's (in the NS case), as this document obsoletes NULL keys there is
no need for the second case, the first case causes redundant
transfers of KEY RRset as SOA is included in the authority section of
negative answers.
RFC2535 section 3.5 also included rule for adding KEY RRset to query
for A and AAAA, as Restrict KEY[RFC3445] eliminated use of KEY RR by
all applications therfore the rule is not needed anymore.
2.2.2 Signer's Name (replaces RFC3008 section 2.7) 2.2.2 Signer's Name (replaces RFC3008 section 2.7)
The signer's name field of a SIG RR MUST contain the name of the zone The signer's name field of a SIG RR MUST contain the name of the zone
to which the data and signature belong. The combination of signer's to which the data and signature belong. The combination of signer's
name, key tag, and algorithm MUST identify a zone key if the SIG is name, key tag, and algorithm MUST identify a zone key if the SIG is
to be considered material. This document defines a standard policy to be considered material. This document defines a standard policy
for DNSSEC validation; local policy may override the standard policy. for DNSSEC validation; local policy may override the standard policy.
There are no restrictions on the signer field of a SIG(0) record. There are no restrictions on the signer field of a SIG(0) record.
skipping to change at page 7, line 42 skipping to change at page 9, line 21
If a zone cannot get its parent to advertise a DS record for it, the If a zone cannot get its parent to advertise a DS record for it, the
child zone cannot be considered globally secured. The only exception child zone cannot be considered globally secured. The only exception
to this is the root zone, for which there is no parent zone. to this is the root zone, for which there is no parent zone.
2.2.3.3 RFC3090 section 3: Experimental Status. 2.2.3.3 RFC3090 section 3: Experimental Status.
The only difference between experimental status and globally secured The only difference between experimental status and globally secured
is the missing DS RRset in the parent zone. All locally secured zones is the missing DS RRset in the parent zone. All locally secured zones
are experimental. are experimental.
2.2.4 NULL KEY elimination
RFC3445 section 3 elminates the top two bits in the flags field of
KEY RR. These two bits where used to indicate NULL KEY or NO KEY.
RFC3090 defines that zone that defines that zone is either secure or
not, eliminates the possible need to put NULL keys in the zone apex
to indicate that the zone is not secured for a algorithm. Along with
this document these other two elminate all uses for the NULL KEY,
Thus this document obsoletes NULL KEY.
2.3 Comments on Protocol Changes 2.3 Comments on Protocol Changes
Over the years there have been various discussions surrounding the Over the years there have been various discussions surrounding the
DNS delegation model, declaring it to be broken because there is no DNS delegation model, declaring it to be broken because there is no
good way to assert if a delegation exists. In the RFC2535 version of good way to assert if a delegation exists. In the RFC2535 version of
DNSSEC, the presence of the NS bit in the NXT bit map proves there is DNSSEC, the presence of the NS bit in the NXT bit map proves there is
a delegation at this name. Something more explicit is needed and the a delegation at this name. Something more explicit is needed and the
DS record addresses this need for secure delegations. DS record addresses this need for secure delegations.
The DS record is a major change to DNS: it is the first resource The DS record is a major change to DNS: it is the first resource
skipping to change at page 9, line 7 skipping to change at page 10, line 47
KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
Digest type value 0 is reserved, value 1 is SHA-1, and reserving Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperabilty other types requires IETF standards action. For interoperabilty
reasons, as few digest algorithms as possible should be reserved. The reasons, as few digest algorithms as possible should be reserved. The
only reason to reserve additional digest types is to increase only reason to reserve additional digest types is to increase
security. security.
DS records MUST point to zone KEY records that are allowed to DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY record's protocol field authenticate DNS data. The indicated KEY record's protocol field
MUST be set to 3; flag field bits 0 and 6 MUST be set to 0; bit 7 MUST be set to 3; flag field bit 7 MUST be set to 1. The value of
MUST be set to 1. The value of other bits is not significant for the other flag bits is not significant for the purposes of this document.
purposes of this document.
The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
of key size, new digest types probably will have larger digests. of key size, new digest types probably will have larger digests.
2.4.1 Justifications for Fields 2.4.1 Justifications for Fields
The algorithm and key tag fields are present to allow resolvers to The algorithm and key tag fields are present to allow resolvers to
quickly identify the candidate KEY records to examine. SHA-1 is a quickly identify the candidate KEY records to examine. SHA-1 is a
strong cryptographic checksum: it is computationally infeasible for strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest. an attacker to generate a KEY record that has the same SHA-1 digest.
skipping to change at page 10, line 44 skipping to change at page 12, line 34
2535-style signatures at child zone apexes and forcing rapid 2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers. deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would RFC 2535 and DS can in theory be deployed in parallel, but this would
require resolvers to deal with RFC 2535 configurations forever. This require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes the NULL KEY in parent zones, which is a difficult document obsoletes the NULL KEY in parent zones, which is a difficult
enough change that a flag day is required. enough change that a flag day is required.
2.7 KEY and corresponding DS record example 2.7 KEY and corresponding DS record example
This is a example of a KEY record and corresponding DS record. This is an example of a KEY record and the corresponding DS record.
dskey.example. KEY 256 3 1 ( dskey.example. KEY 256 3 1 (
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668 ) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
3 Resolver 3 Resolver
3.1 DS Example 3.1 DS Example
skipping to change at page 13, line 37 skipping to change at page 15, line 37
Massey, Olaf Kolman, Phillip Hallam-Baker, Miek Gieben, Havard Massey, Olaf Kolman, Phillip Hallam-Baker, Miek Gieben, Havard
Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka, Steve Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka, Steve
Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark Andrews, Harald Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark Andrews, Harald
Alvestrand, and others have provided useful comments. Alvestrand, and others have provided useful comments.
Normative References: Normative References:
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987. Specification'', STD 13, RFC 1035, November 1987.
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
RFC 2181, July 1997.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC
2535, March 1999. 2535, March 1999.
[RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing
Authority'', RFC 3008, November 2000. Authority'', RFC 3008, November 2000.
[RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone [RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone
Status'', RFC 3090, March 2001. Status'', RFC 3090, March 2001.
[RFC3445] D. Massey, S. Rose ``Limiting the scope of the KEY Resource
Record (RR)``, RFC 3445, December 2002.
Informational References
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
RFC 2181, July 1997.
[RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC [RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC
3225, December 2001. 3225, December 2001.
[RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver [RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver
message size requirements'', RFC 3226, December 2001. message size requirements'', RFC 3226, December 2001.
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
PO Box 6306 3821 Village Park Drive
Washington, DC, 20015 Chevy Chase, MD, 20815
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/